OneLogin employee provisioning integration

The SCIM standard enables advanced provisioning in order to automate user lifecycle management for an application, including account creation, profile updates, authorization settings, and account deactivation.

If you’re using this new option from OneLogin and would like to update your Envoy + OneLogin integration, please contact us and read on.

How does this integration work?

If your team uses OneLogin for employee provisioning, you can use this integration to automatically keep your Envoy employee directory up to date: The SCIM push-based system treats the OneLogin directory as your source of truth. When changes are made in OneLogin, they push immediately to Envoy, so you don’t have to worry about the Envoy employee directory being out of sync with OneLogin.

Enabling the Envoy + OneLogin employee provisioning integration

Note: You’ll need to have OneLogin admin privileges to complete this integration. Either become an admin or ask your admin for help before completing these steps:

Step one: Prepare to enable the Envoy + OneLogin employee provisioning integration (with SCIM)

  1. Contact us. We need to enable this new integration option for your account.
  2. The employee directory will need to be cleared out to enable this integration. We can assist with this.
  3. Decide whether you’d like to sync all users to all locations or sync specific users per location. This will impact how you set up the integration.

Step two: Enable the Envoy + OneLogin employee provisioning (with SCIM) integration

Note: To enable this integration, you’ll need to have OneLogin admin privileges.

  1. If you haven’t already, please contact us before moving forward.
  2. Once you hear back from us, go to Settings > Integrations.
  3. Under employee directory, find the OneLogin logo and click “Install.”

Step three: Choose an employee sync filter

When you connect a OneLogin account, you have two options for syncing employees to your directory. Choose the one that’s right for you:

  • Sync all employees: This is good for companies with one location, or if you prefer to have the same master Envoy employee directory at all locations within your company.
  • Sync specific employees per location: Choose this option if you’d like to sync certain OneLogin users to certain locations (i.e., creating different Envoy employee directories per location).
    • You can filter employees by location in Envoy based on available filters like “City”. If your OneLogin account does not currently have City as a field, you will need to add it by navigating to the Users tab and clicking on Add Custom Field. Then you’ll need to manually map all users to the City field.
    • To sync users per location, you’ll have to select “Sync specific users per location” in your Envoy dashboard. Copy the new Bearer Token and paste it into the Bearer Token field in your OneLogin account.
    • To add a new location after the initial mapping, you’ll need to disconnect the integration in your Envoy dashboard, add the new location, and then reconnect the integration to OneLogin. Before doing so, ensure that your new location’s employees are mapped in your OneLogin directory.

Step four: Configure OneLogin settings

  1. In your OneLogin account, navigate to your OneLogin dashboard.
  2. Click on Apps and then Add Apps.
  3. Find Envoy (SAML2.0, provisioning) in your app directory and add the app.
  4. Click on the Envoy (SAML2.0, provisioning) icon and click Save.
  5. Now on the Envoy app configuration tab, copy the OAuth Bearer Token from Envoy and enter it in the API Token field in OneLogin.
  6. Navigate to the Provisioning tab.
  7. Make sure that “Create Users,” “Update User Attributes,” and “Deactivate Users” are all set to disable (box not checked).
  8. Select “Delete User” on the dropdown field.
  9. Click on “Enable provisioning for Envoy”.
  10. Click Save.
  11. Under the “More Options” button, click on “Reapply provisioning mappings”.
  12. Navigate back to the Envoy Employee directory > All employees and refresh. Your employees should have imported automatically.

Important notes

Regarding adding employees

  • With the OneLogin integration enabled, you cannot add employees manually. Please let us know if you’d like the ability to sync and add one-off employees manually.
  • When updating or adding employees, Envoy will match based on the primary email address listed for the OneLogin user. If the primary email address is not found in Envoy, a new employee will be added to the Envoy employee directory.

Regarding employee contact information

  • The primary email address and phone number listed in OneLogin will be the email address and phone number listed in the Envoy employee directory. If a OneLogin user does not have a primary email address, they will not be synced to the Envoy employee directory.
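The matching rules in the two notes above can be dry-run before enabling the sync. The sketch below is an added illustration, not Envoy or OneLogin code: it assumes users arrive as SCIM 2.0 User resources whose `emails` entries carry a `primary` flag, the function names are hypothetical, the sample data is constructed, and case-insensitive address comparison is an assumption.

```python
"""Dry run of the email matching rules under "Important notes" (added illustration)."""


def primary_email(scim_user):
    """Return the address flagged primary in a SCIM 2.0 User resource, or None."""
    for entry in scim_user.get("emails") or []:
        if entry.get("primary") is True and entry.get("value"):
            # Assumption: addresses are compared case-insensitively.
            return entry["value"].strip().lower()
    return None


def plan_sync(scim_users, envoy_emails):
    """Classify each pushed user as 'update', 'create' or 'skip'."""
    known = {e.strip().lower() for e in envoy_emails}
    plan = {"update": [], "create": [], "skip": []}
    for user in scim_users:
        email = primary_email(user)
        if email is None:
            # No primary email: the user is not synced to the directory.
            plan["skip"].append(user.get("userName"))
        elif email in known:
            # Primary email already present: the existing employee is matched.
            plan["update"].append(email)
        else:
            # Primary email not found: a new employee would be added.
            plan["create"].append(email)
    return plan


# Constructed sample data, not taken from any real directory.
SAMPLE_USERS = [
    {"userName": "ana", "emails": [{"value": "ana@example.com", "primary": True}]},
    {"userName": "ben", "emails": [
        {"value": "ben@example.com", "primary": True},
        {"value": "ben@personal.example", "primary": False},
    ]},
    {"userName": "cy", "emails": [{"value": "cy@example.com"}]},  # no primary flag
    {"userName": "dee"},                                          # no emails at all
]
SAMPLE_DIRECTORY = ["Ana@Example.com"]

if __name__ == "__main__":
    for action, items in plan_sync(SAMPLE_USERS, SAMPLE_DIRECTORY).items():
        print(f"{action}: {items}")
```

Users that land in `skip` need a primary email set in OneLogin before they can appear in the Envoy employee directory.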